> is allowed to use TIOCSETD. Therefore anyone can set PPP line discipline
> on a tty under his control and send forged datagrams right into the kernel
> network subsystem.

Yep.

> I do not believe there is any reason why mortals should ever be allowed to
> use TIOCSETD (at least under Linux), therefore adding something like
> "if (!suser()) return -EPERM;" under "case TIOCSETD:" in drivers/char/

Several daemons drop privilege; you stop them restoring the state and thus
expose a new exciting hole. Just copy the 2.2 fix - stop the ldisc open, that
enforces what you need.

A related issue by the way is that pppd and other apps must be careful to
avoid other users of the tty holding on to the handle, otherwise an attack
exists where you may be able to keep access to a tty that is turned slip by
another process.

Alan
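The two placements of the check discussed above behave differently for a daemon that has already dropped privilege: a refusal inside TIOCSETD itself blocks every discipline change, while a refusal in the PPP/SLIP ldisc open only blocks entering those disciplines and still lets the process switch back to N_TTY. The probe below is an added example, not code from this thread or from the kernel: it opens a pseudo-terminal pair as the "tty under his control", asks for N_SLIP and N_PPP on the slave side, and, when the kernel allows the switch, immediately restores the previous discipline to show whether that restore path works. The ldisc numbers are the Linux ones from linux/tty.h (given as fallback defines) and the outcome depends on the running kernel and the caller's capabilities; on kernels that carry the ldisc-open check, the SLIP/PPP attempts report EPERM.

```c
/* probe_tiocsetd.c - added example: can an unprivileged process switch a tty
 * it controls to the SLIP/PPP line discipline with TIOCSETD, and can it
 * restore the previous discipline afterwards?
 * Build and run: cc -Wall -o probe probe_tiocsetd.c && ./probe */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Linux line-discipline numbers (same values as <linux/tty.h>); defined here
 * only as a fallback so the file builds without the uapi headers. */
#ifndef N_TTY
#define N_TTY  0
#endif
#ifndef N_SLIP
#define N_SLIP 1
#endif
#ifndef N_PPP
#define N_PPP  3
#endif

enum ldisc_result {
    LDISC_SET = 0,      /* TIOCSETD succeeded */
    LDISC_DENIED,       /* EPERM: the ldisc open refused us (the 2.2-style fix) */
    LDISC_UNAVAILABLE,  /* EINVAL/ENODEV: ldisc not compiled in, module absent */
    LDISC_OTHER_ERROR   /* anything else, e.g. EBADF on a non-tty fd */
};

/* Map the errno of a failed TIOCGETD/TIOCSETD onto the categories above. */
enum ldisc_result classify_errno(int err)
{
    switch (err) {
    case EPERM:  return LDISC_DENIED;
    case EINVAL:
    case ENODEV: return LDISC_UNAVAILABLE;
    default:     return LDISC_OTHER_ERROR;
    }
}

/* Try to switch fd to `ldisc`. On success, switch back to the discipline that
 * was active before so the tty is left usable; *restored tells the caller
 * whether that second TIOCSETD worked (what a privilege-dropping daemon needs). */
enum ldisc_result try_set_ldisc(int fd, int ldisc, int *restored)
{
    int prev;
    if (restored)
        *restored = 0;
    if (ioctl(fd, TIOCGETD, &prev) < 0)
        return classify_errno(errno);
    if (ioctl(fd, TIOCSETD, &ldisc) < 0)
        return classify_errno(errno);
    if (restored)
        *restored = (ioctl(fd, TIOCSETD, &prev) == 0);
    return LDISC_SET;
}

/* Open a pseudo-terminal pair and return the slave side: a tty fully under the
 * caller's control. The master fd is returned via *master_out; -1 on failure. */
int open_probe_tty(int *master_out)
{
    int mfd = posix_openpt(O_RDWR | O_NOCTTY);
    if (mfd < 0)
        return -1;
    if (grantpt(mfd) < 0 || unlockpt(mfd) < 0) { close(mfd); return -1; }
    const char *name = ptsname(mfd);
    if (!name) { close(mfd); return -1; }
    int sfd = open(name, O_RDWR | O_NOCTTY);
    if (sfd < 0) { close(mfd); return -1; }
    *master_out = mfd;
    return sfd;
}

static const char *describe(enum ldisc_result r)
{
    switch (r) {
    case LDISC_SET:         return "set (kernel let us in)";
    case LDISC_DENIED:      return "EPERM (ldisc open refused)";
    case LDISC_UNAVAILABLE: return "unavailable (ldisc not present)";
    default:                return "other error";
    }
}

int main(void)
{
    int mfd, sfd = open_probe_tty(&mfd);
    if (sfd < 0) { perror("pty"); return 1; }
    int probes[] = { N_SLIP, N_PPP };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int restored = 0;
        enum ldisc_result r = try_set_ldisc(sfd, probes[i], &restored);
        printf("euid %u: TIOCSETD %d -> %s%s\n", (unsigned)geteuid(), probes[i],
               describe(r),
               r != LDISC_SET ? "" : (restored ? ", previous ldisc restored"
                                               : ", restore FAILED"));
    }
    close(sfd);
    close(mfd);
    return 0;
}
```

Run it once as an ordinary user and once with CAP_NET_ADMIN: the interesting line is the unprivileged one, where anything other than EPERM (or "unavailable" on a kernel without the ldisc) means the tty can be turned into a network interface by whoever holds it. A check that lives in the ldisc open, as the reply recommends, never affects the restore step, because switching back to N_TTY goes through a different ldisc open.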
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:48 PDT